Install: claude install-skill aiskillstore/marketplace
# Bandit Python SAST
## Overview
Bandit is a security-focused static analysis tool for Python that identifies common security vulnerabilities and coding anti-patterns. It parses Python code into Abstract Syntax Trees (AST) and executes security plugins to detect issues like hardcoded credentials, SQL injection, command injection, weak cryptography, and insecure API usage. Bandit provides actionable reports with severity classifications aligned to industry security standards.
## Quick Start
Scan a Python file or directory for security vulnerabilities:
```bash
# Install Bandit
pip install bandit
# Scan single file
bandit suspicious_file.py
# Scan entire directory recursively
bandit -r /path/to/python/project
# Generate JSON report
bandit -r project/ -f json -o bandit_report.json
# Scan with custom config
bandit -r project/ -c .bandit.yaml
```
## Core Workflow
### Step 1: Install and Configure Bandit
Install Bandit via pip:
```bash
pip install bandit
```
Create a configuration file `.bandit` or `.bandit.yaml` to customize scans:
```yaml
# .bandit.yaml
exclude_dirs:
- /tests/
- /venv/
- /.venv/
- /node_modules/
skips:
- B101 # Skip assert_used checks in test files
tests:
- B201 # Flask app run with debug=True
- B301 # Pickle usage
- B601 # Shell injection
- B602 # Shell=True in subprocess
```
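The JSON report from `-f json -o bandit_report.json` is what a CI gate consumes. The block below is an added example, not code from the Bandit project or from this skill: it loads a report of that shape, applies a severity/confidence floor that mirrors Bandit's `-l`/`-i` flags, honours a skip list like the `skips:` key above, and returns pass/fail with per-test counts. The report contents are constructed, and `load_report`, `filter_findings`, `summarize` and `gate` are this example's own names.

```python
import json
from collections import Counter

# Bandit's ordinal scale, shared by issue_severity and issue_confidence.
LEVELS = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}

# Constructed sample report (not real scan output), shaped like `bandit -f json`:
# a top-level "errors" list plus "results" entries keyed by test_id, severity, etc.
SAMPLE_REPORT = json.dumps({
    "errors": [],
    "results": [
        {"test_id": "B602", "test_name": "subprocess_popen_with_shell_equals_true",
         "issue_severity": "HIGH", "issue_confidence": "HIGH",
         "filename": "app/runner.py", "line_number": 12,
         "issue_text": "subprocess call with shell=True identified, security issue."},
        {"test_id": "B301", "test_name": "blacklist",
         "issue_severity": "MEDIUM", "issue_confidence": "HIGH",
         "filename": "app/cache.py", "line_number": 40,
         "issue_text": "Pickle can be unsafe when used to deserialize untrusted data."},
        {"test_id": "B101", "test_name": "assert_used",
         "issue_severity": "LOW", "issue_confidence": "HIGH",
         "filename": "app/util.py", "line_number": 3,
         "issue_text": "Use of assert detected."},
    ],
})


def load_report(text):
    """Parse the JSON written by `bandit -f json -o bandit_report.json`."""
    return json.loads(text)


def filter_findings(report, min_severity="MEDIUM", min_confidence="LOW", skips=()):
    """Keep findings at or above both thresholds (like -l/-i), minus skipped test IDs."""
    return [
        r for r in report["results"]
        if LEVELS[r["issue_severity"]] >= LEVELS[min_severity]
        and LEVELS[r["issue_confidence"]] >= LEVELS[min_confidence]
        and r["test_id"] not in skips
    ]


def summarize(findings):
    """Count surviving findings per test ID, e.g. {'B602': 1, 'B301': 1}."""
    return dict(Counter(f["test_id"] for f in findings))


def gate(report, fail_on="HIGH", skips=()):
    """CI gate -> (passed, per-test counts); files Bandit could not parse also fail it."""
    blocking = filter_findings(report, min_severity=fail_on, skips=skips)
    passed = not blocking and not report.get("errors")
    return passed, summarize(blocking)
```

Treating `errors` as a failure matters: a file Bandit could not parse was never scanned, so it is an unknown rather than a clean result.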
### Step 2: Execute Security Scan
Run Bandit against the Python codebase:
```bash
# Basic scan with severity threshold
bandit -r . -ll # Report only m